https://github.com/puffycid/artemis
A cross platform forensic parser written in Rust!
- Host: GitHub
- URL: https://github.com/puffycid/artemis
- Owner: puffyCid
- License: mit
- Created: 2023-05-18T00:05:33.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-04-09T01:29:41.000Z (about 1 year ago)
- Last Synced: 2025-04-09T22:18:07.571Z (about 1 year ago)
- Topics: dfir, digital-forensics, incident-response, rust
- Language: Rust
- Homepage:
- Size: 36.7 MB
- Stars: 80
- Watchers: 2
- Forks: 9
- Open Issues: 25
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# Artemis - A cross platform DFIR application
[MIT License](https://opensource.org/licenses/MIT) | [Code coverage](https://codecov.io/github/puffyCid/artemis)

Artemis is a powerful command line digital forensic and incident response (DFIR)
tool that collects forensic data from Windows, macOS, Linux, and FreeBSD endpoints. Its
primary focus is speed, ease of use, and low resource usage.

Notable features _so far_:
- Setup collections using basic TOML files
- Parsing support for a large number of forensic artifacts (40+)
- Output to JSON, JSONL, or CSV file(s)
- Can output results to local system or upload to cloud services.
- An embedded JavaScript runtime via [Boa](https://boajs.dev) that allows you to script and create your own parsers and artifacts.
- Timeline support that is compatible with [Timesketch](https://timesketch.org/)
Check out the online guide at https://puffycid.github.io/artemis-api for an in-depth
walkthrough on using artemis.
## Quick Guide
1. Download the latest stable release binary from GitHub. Nightly versions also
[available](https://github.com/puffyCid/artemis/releases/tag/nightly)
2. Run artemis!
```
artemis -h
Usage: artemis [OPTIONS] [COMMAND]
Commands:
acquire Acquire forensic artifacts
help Print this message or the help of the given subcommand(s)
Options:
-t, --toml Full path to TOML collector
-d, --decode Base64 encoded TOML file
-j, --javascript Full path to JavaScript file
-h, --help Print help
-V, --version Print version
```
An example of collecting a process listing:
```
> artemis acquire -h
Acquire forensic artifacts
Usage: artemis acquire [OPTIONS] [COMMAND]
Commands:
processes Collect processes
connections Collect network connections
filelisting Pull filelisting
systeminfo Get systeminfo
prefetch windows: Parse Prefetch
eventlogs windows: Parse EventLogs
rawfilelisting windows: Parse NTFS to get filelisting
shimdb windows: Parse ShimDatabase
registry windows: Parse Registry
userassist windows: Parse Userassist
shimcache windows: Parse Shimcache
shellbags windows: Parse Shellbags
amcache windows: Parse Amcache
shortcuts windows: Parse Shortcuts
usnjrnl windows: Parse UsnJrnl
bits windows: Parse BITS
srum windows: Parse SRUM
users-windows windows: Parse Users
search windows: Parse Windows Search
tasks windows: Parse Windows Tasks
services windows: Parse Windows Services
jumplists windows: Parse Jumplists
recyclebin windows: Parse RecycleBin
wmipersist windows: Parse WMI Repository
outlook windows: Parse Outlook messages
mft windows: Parse MFT file
execpolicy macos: Parse ExecPolicy
users-macos macos: Collect local users
fsevents macos: Parse FsEvents entries
emond macos: Parse Emond persistence. Removed in Ventura
loginitems macos: Parse LoginItems
launchd macos: Parse Launch Daemons and Agents
groups-macos macos: Collect local groups
unifiedlogs macos: Parse the Unified Logs
sudologs-macos macos: Parse Sudo log entries from Unified Logs
spotlight macos: Parse the Spotlight database
sudologs-linux linux: Grab Sudo logs
journals linux: Parse systemd Journal files
logons linux: Parse Logon files
rawfilelisting-ext4 linux: Parse the raw ext4 filesystem
help Print this message or the help of the given subcommand(s)
Options:
--format Output format. JSON or JSONL or CSV [default: JSON]
--output-dir Optional output directory for storing results [default: ./tmp]
--compress GZIP Compress results
--timeline Timeline parsed data. Output is always JSONL
-h, --help Print help
> artemis acquire processes
[artemis] Starting artemis collection!
[artemis] Writing output to: ./tmp
[artemis] Finished artemis collection!
./tmp/local_collector/
8706ce06-ff87-4ea9-8685-c96b64fb2cbe.log processes_ef308829-a667-496b-b983-d82e7fd7a631.json status_fedora.log
```